[webkit-changes] [WebKit/WebKit] 13cb98: Cherry-pick 289023 at main (9649ee33c20c). https://bu...
Tim Nguyen
noreply at github.com
Wed Jan 29 02:40:40 PST 2025
Branch: refs/heads/webkitglib/2.46
Home: https://github.com/WebKit/WebKit
Commit: 13cb9849480200e6f402529b1580f759f885d81a
https://github.com/WebKit/WebKit/commit/13cb9849480200e6f402529b1580f759f885d81a
Author: Pratiksha Choudhury <p_choudhury at apple.com>
Date: 2025-01-29 (Wed, 29 Jan 2025)
Changed paths:
A LayoutTests/fast/css/css-typed-om/css-builder-converter-initial-letter-crash-expected.txt
A LayoutTests/fast/css/css-typed-om/css-builder-converter-initial-letter-crash.html
M Source/WebCore/css/CSSQuadValue.cpp
M Source/WebCore/css/CSSQuadValue.h
M Source/WebCore/css/typedom/StylePropertyMap.cpp
Log Message:
-----------
Cherry-pick 289023 at main (9649ee33c20c). https://bugs.webkit.org/show_bug.cgi?id=285459
ASAN_TRAP in Style::BuilderConverter::convertInitialLetter
https://bugs.webkit.org/show_bug.cgi?id=285459
rdar://141024836
Reviewed by Matthieu Dubet and Ryosuke Niwa.
Added a check to verify the CSSQuad value, or else throw a TypeError.
* LayoutTests/fast/css/css-typed-om/css-builder-converter-initial-letter-crash-expected.txt: Added.
* LayoutTests/fast/css/css-typed-om/css-builder-converter-initial-letter-crash.html: Added.
* Source/WebCore/css/CSSQuadValue.cpp:
(WebCore::CSSQuadValue::CSSQuadValue):
(WebCore::CSSQuadValue::canBeCoalesced const):
* Source/WebCore/css/CSSQuadValue.h:
* Source/WebCore/css/typedom/StylePropertyMap.cpp:
(WebCore::StylePropertyMap::set):
Canonical link: https://commits.webkit.org/289023@main
Canonical link: https://commits.webkit.org/282416.410@webkitglib/2.46

Commit: a291061dd6222f5f4671184f77688851541d6027
https://github.com/WebKit/WebKit/commit/a291061dd6222f5f4671184f77688851541d6027
Author: Chris Dumez <cdumez at apple.com>
Date: 2025-01-29 (Wed, 29 Jan 2025)
Changed paths:
M Source/JavaScriptCore/runtime/StructureInlines.h
Log Message:
-----------
Cherry-pick 288298 at main (b88f3785dca4). https://bugs.webkit.org/show_bug.cgi?id=285158
Null dereference under JSC::Structure::shouldConvertToPolyProto()
https://bugs.webkit.org/show_bug.cgi?id=285158
Reviewed by Darin Adler.
Null dereference under JSC::Structure::shouldConvertToPolyProto(), which is undefined behavior.
This was found by adding a RELEASE_ASSERT() under `RefPtr::operator->()`:
* Source/JavaScriptCore/runtime/StructureInlines.h:
(JSC::Structure::shouldConvertToPolyProto):
Canonical link: https://commits.webkit.org/288298@main
Canonical link: https://commits.webkit.org/282416.411@webkitglib/2.46

Commit: 5e79c9a1da8c7a945e391bb0f4a4b34a275c61c7
https://github.com/WebKit/WebKit/commit/5e79c9a1da8c7a945e391bb0f4a4b34a275c61c7
Author: Jessica Lee <jlee53 at apple.com>
Date: 2025-01-29 (Wed, 29 Jan 2025)
Changed paths:
M LayoutTests/js/dom/webidl-type-mapping-expected.txt
M LayoutTests/js/dom/webidl-type-mapping.html
M Source/WebCore/bindings/js/JSDOMConvertRecord.h
Log Message:
-----------
Cherry-pick 287506 at main (d78f8ae748e3). https://bugs.webkit.org/show_bug.cgi?id=284132
JSC::JSValue convert of JSConverter<IDLRecord<K, V>> crashes when converting an input WebCore::IDLRecord<WebCore::IDLUSVString, WebCore::IDLUnion<WebCore::IDLUndefined, WebCore::IDLUSVString>>
https://bugs.webkit.org/show_bug.cgi?id=284132
rdar://141017497
Reviewed by Chris Dumez and Sihui Liu.
According to spec https://webidl.spec.whatwg.org/#js-record, we should use <bool createDataProperty(JSGlobalObject*, PropertyName, JSValue, bool shouldThrow)> to convert a native object to an IDL Record, not putDirect, which is what's currently implemented and incorrectly assumes that the input property name is not an index.
* LayoutTests/js/dom/webidl-type-mapping-expected.txt:
* LayoutTests/js/dom/webidl-type-mapping.html:
* Source/WebCore/bindings/js/JSDOMConvertRecord.h:
Canonical link: https://commits.webkit.org/287506@main
Canonical link: https://commits.webkit.org/282416.412@webkitglib/2.46

Commit: c8b37e7361b3dfe36d08bd5e6d522086413adf16
https://github.com/WebKit/WebKit/commit/c8b37e7361b3dfe36d08bd5e6d522086413adf16
Author: Tim Nguyen <ntim at apple.com>
Date: 2025-01-29 (Wed, 29 Jan 2025)
Changed paths:
M LayoutTests/inspector/css/getMatchedStylesForNodeBackdropPseudoId.html
A LayoutTests/inspector/css/getMatchedStylesForNodeViewTransitionPseudoElements-expected.txt
A LayoutTests/inspector/css/getMatchedStylesForNodeViewTransitionPseudoElements.html
M Source/WebCore/inspector/agents/InspectorCSSAgent.cpp
Log Message:
-----------
Cherry-pick 287254 at main (c303cfb174dd). https://bugs.webkit.org/show_bug.cgi?id=283574
Web Inspector crashes due to using erroneous `PseudoElementIdentifier`
https://bugs.webkit.org/show_bug.cgi?id=283574
rdar://140243623
Reviewed by Devin Rousso.
Skip named view transition pseudo-elements until we're able to pass a proper `PseudoElementIdentifier` into
`pseudoStyleRulesForElement`, and once we properly support named view transition pseudo-elements.
* LayoutTests/inspector/css/getMatchedStylesForNodeBackdropPseudoId.html:
* LayoutTests/inspector/css/getMatchedStylesForNodeViewTransitionPseudoElements-expected.txt: Added.
* LayoutTests/inspector/css/getMatchedStylesForNodeViewTransitionPseudoElements.html: Added.
* Source/WebCore/inspector/agents/InspectorCSSAgent.cpp:
(WebCore::InspectorCSSAgent::getMatchedStylesForNode):
Canonical link: https://commits.webkit.org/287254@main
Canonical link: https://commits.webkit.org/282416.413@webkitglib/2.46

Compare: https://github.com/WebKit/WebKit/compare/33766a2ff194...c8b37e7361b3